* Re: Guardian 2.0 Testversion 011
From: Stefan Schantl @ 2015-05-12 19:19 UTC
  To: development


Hi 5p9,

if you have installed the guardian 2.0 - 012 version on your IPFire
system with core update 89, you have bricked your system.

> > IMPORTANT: You MUST NOT install/update to the new version if you are
> > using IPFire 2 - Core 89 or an older version!

If you still have access to it, downgrade guardian to version 011 or
upgrade the system to core 90 and reinstall guardian 012 afterwards,
otherwise it will be really hard to get your system working again.

Best regards,

-Stefan
> Hi Stefan,
> 
> thx for updating Guardian2. I use Core89, but installing version 012
> ends with an internal error while updating the language cache - do you need
> more information?
> 
> #update-lang-cache
> 
> update-lang-cache
> Can't locate Locale/Codes/Country.pm in @INC (@INC
> contains: /usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi /usr/lib/perl5/site_perl/5.12.3 /usr/lib/perl5/5.12.3/i586-linux-thread-multi /usr/lib/perl5/5.12.3 .) at /var/ipfire/general-functions.pl line 20.
> BEGIN failed--compilation aborted at /var/ipfire/general-functions.pl
> line 20.
> Compilation failed in require at //var/ipfire/lang.pl line 12.
> Compilation failed in require at -e line 1.
> 
> 
> The WUI says:
> 
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable to complete
> your request.
> Please contact the server administrator, root(a)localhost and inform them of the time the error occurred,
> and anything you might have done that may have caused the error.
> More information about this error may be available in the server error log.
> Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1m PHP/5.3.27 Server at 192.168.XYZ.XYZ Port 444
> 
> On 10.05.2015 10:08, Stefan Schantl wrote:
> 
> > Hello again,
> > 
> > as promised, I have recently uploaded a new test version of guardian 2.0
> > (012).
> > 
> > It mainly contains updated language and system files to pay attention to
> > the latest development efforts of IPFire core update 90.
> > 
> > As usual the new version can be downloaded from
> > http://people.ipfire.org/~stevee/guardian-2.0/
> > 
> > The installation / update works in the same way as described in the
> > planet post:
> > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> > 
> > IMPORTANT: You MUST NOT install/update to the new version if you are
> > using IPFire 2 - Core 89 or an older version!
> > 
> > Please also create a backup of your files stored in
> > "/var/ipfire/guardian/", otherwise they will be overwritten by the
> > update!
> > 
> > Best regards,
> > 
> > -Stefan
> > > Hello followers,
> > > 
> > > first of all I have to thank all of you who have joined the guardian
> > > 2.0 testing team. I've got a lot of positive feedback but also have been
> > > notified about several tiny issues.
> > > 
> > > I've uploaded an updated test version to
> > > http://people.ipfire.org/~stevee/guardian-2.0/.
> > > 
> > > The installation / update works in the same way as described in the
> > > planet post:
> > > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> > > 
> > > IMPORTANT: Please create a backup of your files stored in
> > > "/var/ipfire/guardian/", otherwise they will be overwritten by the
> > > update!
> > > 
> > > Changelog:
> > > 
> > > * Matthias Fischer detected some small problems in the "guardian.cgi"
> > > and provided some patches for them.
> > > http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=19d6abcce57be35c3bd43ebf45e37d69776f081e
> > > http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=0a6c3cb89642e2ff567993d810757425cf9ccce7
> > > http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=82208c83c709da1f1c24fd9396e5d351f833fd91
> > > 
> > > * Blago Culjak informed me about problems on starting guardian and
> > > displaying its status in the web interface. This behaviour only happens
> > > when the legacy version of guardian has been un-installed and not just
> > > replaced by the new version. The updated version contains the required
> > > file which is used by various IPFire scripts to detect if an addon is
> > > installed or not.
> > > 
> > > * The CLI switch "-d" called "debug mode" has been replaced by "-f" to
> > > launch guardian and run it in the foreground.
> > > http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=a58bd674863e1c4fd3cff457f1bd51e105c3eb2b
> > > 
> > > * Some new code has been added to prevent starting multiple
> > > instances of guardian.
> > > http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=9d44c0d9952e67f6afad15e2940a5be6f1fe9094
> > > 
> > > Best regards,
> > > 
> > > -Stefan
> > > 
> > > 
> > > _______________________________________________
> > > Development mailing list
> > > Development(a)lists.ipfire.org
> > > http://lists.ipfire.org/mailman/listinfo/development



* Re: Guardian 2.0 Testversion 011
From: 5p9 @ 2015-05-14  9:15 UTC
  To: development


Hi,

after downgrading to the 011 version and running update-lang-cache, my system runs normally.

And Guardian2 looks good! Thx for your work Stefan... very nice.

BG, 5p9




* Re: Guardian 2.0 Testversion 011
From: 5p9 @ 2015-05-28 22:32 UTC
  To: development


Hi @all,

I have a question. My Fire has got the final Core-Update 90 (stable)
and guardian 2 now has display-lang bugs in the cgi.

Must I wait for a newer version of guardian 2, or can I do the steps he
told us?

As usual the new version can be downloaded from
http://people.ipfire.org/~stevee/guardian-2.0/

The installation / update works in the same way as described in the
planet post:
http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire


BG, 5p9


* Re: Guardian 2.0 Testversion 011
From: Matthias Fischer @ 2015-05-28 23:28 UTC
  To: development


On 29.05.2015 00:32, 5p9 wrote:
> Hi @all,

Hi!

> I have a question. My Fire has got the final Core-Update 90 (stable)
> and guardian 2 now has display-lang bugs in the cgi.

I think this is normal - and happened before - since the Guardian 
2.0-language strings seem to be not fully implemented in the language 
files shipped with the new Core update.

> Must i wait to a newest Version of guardian 2   or can i do the steps he
> told us?

I think you could either reinstall - which could lead to strings missing 
in other places so I would NOT recommend this - or simply copy the 
attached files to '/var/ipfire/addon-lang' and update the language cache 
by starting "/usr/local/bin/update-lang-cache" from the console. I hope I 
didn't miss a string. For me it's looking good, no missing strings after 
updating.

This gives me the chance to repeat my proposal/feature request from here:
https://forum.ipfire.org/viewtopic.php?f=4&t=13524&p=84922&sid=3a921f770f3b4ce8e21a734f5c9af6f4#p84922

Using the '/var/ipfire/addon-lang'-directory for those addons would make 
things perhaps a bit easier.

Jm2C - Regards
Matthias

P.S.: Besides - update to Core 90 went ok by now, no problems detected. 
Good job - thanks! ;-)


[-- Attachment #2: guardian.de.pl --]

%tr = ( 
%tr,

'block' => 'Blocken',
'guardian' => 'Guardian',
'guardian alertfile' => 'Alertfile',
'guardian block a host' => 'Host blocken',
'guardian block httpd brute-force' => 'HTTPD Brute-Force Erkennung',
'guardian block owncloud brute-force' => 'Owncloud Brute-Force Erkennung',
'guardian block ssh brute-force' => 'SSH Brute-Force Erkennung',
'guardian blocked hosts' => 'Aktuell geblockte Hosts',
'guardian blockcount' => 'Blockzähler',
'guardian blocktime' => 'Blockzeit',
'guardian blocking of this address is not allowed' => 'Angegebene Addresse kann nicht geblockt werden.',
'guardian common settings' => 'Allgemeine Einstellungen',
'guardian configuration' => 'Guardian Konfiguration',
'guardian daemon' => 'Daemon',
'guardian enabled' => 'Guardian aktivieren',
'guardian empty input' => 'Fehlende Eingabe: Bitte geben Sie einen gültigen Host oder ein gültiges Netzwerk an.',
'guardian invalid alertfile' => 'Der angegebene Pfad zum "Alert file" ist ungültig.',
'guardian invalid address or subnet' => 'Ungültige Addresse oder Netzwerk.',
'guardian invalid blockcount' => 'Ungültige Anzahl: Bitte verwenden Sie eine natürliche Zahl größer als Null.',
'guardian invalid blocktime' => 'Ungültige Blockzeit: Bitte verwenden Sie eine natürliche Zahl größer als Null.',
'guardian invalid logfile' => 'Der angegebene Pfad zum "Ignore file" ist ungültig.',
'guardian ignored hosts' => 'Ignorierte Hosts',
'guardian ignorefile' => 'Ignorefile',
'guardian interface' => 'Interface',
'guardian logfile' => 'Logfile',
'guardian loglevel' => 'Loglevel',
'guardian no entries' => 'Aktuell sind keine Einträge vorhanden.',
'guardian not running no hosts can be blocked' => 'Guardian läuft nicht. Hosts werden nicht geblockt.',
'guardian priority level' => 'Prioritätslevel',
'guardian service' => 'Guardian Service',
'guardian snort alertfile' => 'Snort Alertfile',
'guardian timelimit' => 'Timelimit',
'guardian watch snort alertfile' => 'Monitor Snort alertfile',
'unblock' => 'Entblocken',
'unblock all' => 'Alle entblocken',

);

#EOF

[-- Attachment #3: guardian.en.pl --]

%tr = ( 
%tr,

'block' => 'Block',
'guardian' => 'Guardian',
'guardian alertfile' => 'Alertfile',
'guardian block a host' => 'Block Host',
'guardian block httpd brute-force' => 'HTTPD Brute-force detection',
'guardian block owncloud brute-force' => 'Owncloud Brute-force detection',
'guardian block ssh brute-force' => 'SSH Brute-force detection',
'guardian blocked hosts' => 'Currently blocked hosts',
'guardian blockcount' => 'Blockcount',
'guardian blocktime' => 'Blocktime',
'guardian blocking of this address is not allowed' => 'Blocking of the given address is not allowed.',
'guardian common settings' => 'Common settings',
'guardian configuration' => 'Guardian Configuration',
'guardian daemon' => 'Daemon',
'guardian enabled' => 'Enable guardian',
'guardian empty input' => 'Empty input: Please enter a valid host address or subnet.',
'guardian invalid alertfile' => 'The provided path for the alert file is not valid.',
'guardian invalid address or subnet' => 'Invalid host address or subnet.',
'guardian invalid blockcount' => 'Invalid BlockCount: Please provide a natural number higher than zero.',
'guardian invalid blocktime' => 'Invalid BlockTime: Please provide a natural number higher than zero.',
'guardian invalid logfile' => 'The provided path for the logfile is not valid.',
'guardian ignored hosts' => 'Ignored Hosts',
'guardian ignorefile' => 'Ignorefile',
'guardian interface' => 'Interface',
'guardian logfile' => 'Logfile',
'guardian loglevel' => 'Loglevel',
'guardian no entries' => 'No entries at the moment.',
'guardian not running no hosts can be blocked' => 'Guardian is not running. No hosts will be blocked.',
'guardian priority level' => 'Prioritylevel',
'guardian service' => 'Guardian Service',
'guardian snort alertfile' => 'Alertfile from Snort',
'guardian timelimit' => 'Timelimit',
'guardian watch snort alertfile' => 'Monitor Snort alertfile',
'unblock' => 'Unblock',
'unblock all' => 'Unblock all',

);

#EOF
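To catch the missing strings Matthias worries about before copying files to '/var/ipfire/addon-lang' and running update-lang-cache, here is an added example (not IPFire or guardian code) that compares the keys a CGI page references against the keys an addon-lang file defines. The CGI excerpt and the lang-file excerpt are constructed samples in the real formats, and 'guardian whitelist' is a made-up key that exists only to show how a missing string is reported.

```shell
#!/bin/sh
# Added example, not part of IPFire or guardian: before copying a lang
# file to /var/ipfire/addon-lang and running update-lang-cache, check
# that every $Lang::tr{'...'} key a CGI page uses is defined in it.
# Both inputs are constructed samples; 'guardian whitelist' is a made-up
# key used only to demonstrate how a missing string is reported.

# Constructed excerpt in the style of an IPFire CGI page.
CGI_SAMPLE=$(cat <<'EOF'
print "<td>$Lang::tr{'guardian blocktime'}</td>";
print "<td>$Lang::tr{'guardian blockcount'}</td>";
print "<td>$Lang::tr{'guardian priority level'}</td>";
print "<td>$Lang::tr{'guardian whitelist'}</td>";
EOF
)

# Constructed excerpt in the addon-lang file format from the thread:
# %tr is re-opened and extended with 'key' => 'value' pairs.
LANG_SAMPLE=$(cat <<'EOF'
%tr = (
%tr,

'guardian blockcount' => 'Blockcount',
'guardian blocktime' => 'Blocktime',
'guardian priority level' => 'Prioritylevel',

);
EOF
)

# Keys a CGI references: the text inside every $Lang::tr{'...'}.
used_keys() {
    printf '%s\n' "$1" \
        | grep -o "Lang::tr{'[^']*'}" \
        | sed "s/^Lang::tr{'//; s/'}\$//" \
        | sort -u
}

# Keys a lang file defines: the quoted left-hand side of each => pair.
defined_keys() {
    printf '%s\n' "$1" \
        | sed -n "s/^'\([^']*\)' *=> .*/\1/p" \
        | sort -u
}

# Keys used by the CGI but absent from the lang file. Each one renders
# as an empty string in the WUI, which is the "display-lang-bug" symptom.
missing_keys() {
    {
        defined_keys "$2" | sed 's/^/D /'
        used_keys "$1"    | sed 's/^/U /'
    } | awk '
        /^D / { sub(/^D /, ""); defined[$0] = 1; next }
        /^U / { sub(/^U /, ""); if (!($0 in defined)) print }'
}

# Stand-alone run over the constructed samples.
echo "keys used by the CGI:      $(used_keys "$CGI_SAMPLE" | wc -l)"
echo "keys defined in lang file: $(defined_keys "$LANG_SAMPLE" | wc -l)"
echo "missing from lang file:"
missing_keys "$CGI_SAMPLE" "$LANG_SAMPLE" | sed 's/^/  /'
```

Run the same functions against the real guardian.cgi and the attached guardian.en.pl / guardian.de.pl to see which strings would still come up empty after update-lang-cache.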


* Re: Guardian 2.0 Testversion 011
From: 5p9 @ 2015-05-28 23:40 UTC
  To: development


Hi Fischer,

thx for help! :)

> I think this is normal - and happened before - since the Guardian
> 2.0-language strings seem to be not fully implemented in the language
> files shipped with the new Core update.
I think this, too.

> I think you could either reinstall - which could lend to strings missing
> in other places so I would NOT recommend this - or simply copy the
> attached files
Okay thx for this answer. I'll test and report it.

> This gives me the chance to repeat my proposal/feature request from here:
> https://forum.ipfire.org/viewtopic.php?f=4&t=13524&p=84922&sid=3a921f770f3b4ce8e21a734f5c9af6f4#p84922
I know, I remember. Is that in a bug report or wishlist?

Great job on "Core-Update90", IPFire-Team! GEOIPBlock rocks :D

5p9



* Re: Guardian 2.0 Testversion 011
From: Stefan Schantl @ 2015-05-10  8:08 UTC
  To: development


Hello again,

as promised, I have recently uploaded a new test version of guardian 2.0
(012).

It mainly contains updated language and system files to pay attention to
the latest development efforts of IPFire core update 90.

As usual the new version can be downloaded from
http://people.ipfire.org/~stevee/guardian-2.0/

The installation / update works in the same way as described in the
planet post:
http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire

IMPORTANT: You MUST NOT install/update to the new version if you are
using IPFire 2 - Core 89 or an older version!

Please also create a backup of your files stored in
"/var/ipfire/guardian/", otherwise they will be overwritten by the
update!

Best regards,

-Stefan
> Hello followers,
> 
> first of all I have to thank all of you who have joined the guardian
> 2.0 testing team. I've got a lot of positive feedback but also have been
> notified about several tiny issues.
> 
> I've uploaded an updated test version to
> http://people.ipfire.org/~stevee/guardian-2.0/.
> 
> The installation / update works in the same way as described in the
> planet post:
> http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> 
> IMPORTANT: Please create a backup of your files stored in
> "/var/ipfire/guardian/", otherwise they will be overwritten by the
> update!
> 
> Changelog:
> 
> * Matthias Fischer detected some small problems in the "guardian.cgi"
> and provided some patches for them.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=19d6abcce57be35c3bd43ebf45e37d69776f081e
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=0a6c3cb89642e2ff567993d810757425cf9ccce7
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=82208c83c709da1f1c24fd9396e5d351f833fd91
> 
> * Blago Culjak informed me about problems on starting guardian and
> displaying its status in the web interface. This behaviour only happens
> when the legacy version of guardian has been un-installed and not just
> replaced by the new version. The updated version contains the required
> file which is used by various IPFire scripts to detect if an addon is
> installed or not.
> 
> * The CLI switch "-d" called "debug mode" has been replaced by "-f" to
> launch guardian and run it in the foreground.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=a58bd674863e1c4fd3cff457f1bd51e105c3eb2b
> 
> * Some new code has been added to prevent starting multiple
> instances of guardian.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=9d44c0d9952e67f6afad15e2940a5be6f1fe9094
> 
> Best regards,
> 
> -Stefan
> 
> 



* Re: Guardian 2.0 Testversion 011
From: Stefan Schantl @ 2015-03-05 18:37 UTC
  To: development


Hello H&M,

sorry for my late response, the last few days have been very stressful
for me.
> Hi Stefan,
> 
> I do hope this time my e-mail reaches you...
> 
> I've accumulated some experience with Guardian, but my main experience is with Snort, snort used in different SIEMs.
> 
> Here are my recommendations for IPS/Guardian

Thanks for testing and providing your feedback, I really don't know why
your messages are not accepted by the mailing list. I've sent a copy of
my answer via CC to the development mailing list.
> 
> Recommendation 1:
> Please add to the ignore list the ability to add a comment to that IP being ignored. Reason: I do want to know why I've ignored all Snort alerts from that IP. (instead of doing a nice snort tuning and modify threshold.conf from snort for a specific list of SIDs).
> 
Accepted, I will schedule this for guardian 2.1.
> Note: for the record : ignoring an IP in Guardian does NOT reduce the load on CPU. Snort will continue to trigger alerts and log them. If IPFire is designed to work for small resource systems, I do recommend to move the ignore rule at snort level. I can provide snort logic for accomplishing that. 
> 
Sadly this is not possible, because the brute-force detection mechanisms
are not provided by snort.
> Recommendation 2:
> As a best practice before unblocking an IP (an offender) I do the following steps that require additional data (data that it would be nice to have provided by the IPFire WUI / guardian-2.0-010 somehow). I am talking about information related to the IP that I want to unblock:
> 1.	What was the reason in the first place for the IP being blocked. Recommendation: please add back to guardian.log as much as possible of the information generated in the snort/alert file. Currently (guardian-2.0-010) the message in guardian.log is not helping in that direction
> 
> Current guardian-2.0-010 guardian.log message: 
> 
> Wed Feb 18 22:46:17 2015: Blocking 222.186.31.208: An active snort rule has matched and gained an alert.
> Wed Feb 18 23:18:15 2015: Blocking 123.249.24.160: An active snort rule has matched and gained an alert.
> 
> Old Guardian (based on perl) logging style was much better, please use the old logging style if possible:
> 
> Wed Feb 18 22:15:34 2015: 123.249.24.160        [1:2403344:1577] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 23
> Wed Feb 18 22:18:55 2015: 218.77.79.43  [1:2402000:3604] ET DROP Dshield Block Listed Source group 1
> Wed Feb 18 22:23:32 2015: expiring block of 141.212.121.203
> Wed Feb 18 22:26:31 2015: 61.240.144.66 [1:2402000:3604] ET DROP Dshield Block Listed Source group 1

Accepted, I will include this really important suggestion into the next
testing version.

> 
> 2.	If the reason is a Policy EXE or DLL download this means that probably one of my laptops/desktops got spearphished and a malware is starting to bring additional files to the victim. Or, it is just me downloading the new version of Adobe Flash. No matter the case, before unblocking the IP, I do check if the IP blocked by Guardian is "kind of" safe. For that I do use / rely on the following tools, tools that can be easily added to the Guardian status window as links. Here is the link format that can be added near each blocked IP:
> 
> a.	Virustotal. The format of the link is: https://www.virustotal.com/en/ip-address/a.b.c.d/information/ where a.b.c.d is the IP from the GUARDIAN iptables chain. Example: https://www.virustotal.com/en/ip-address/61.240.144.66/information/ . Yes, even the mighty Akamai is listed as distributing malware.
> b.	IPVOID (collection of RBL databases - the most important ones are related to TROJAN monitoring - like ZeusTracker). The format of the link is http://www.ipvoid.com/scan/a.b.c.d/ where a.b.c.d is the IP from the GUARDIAN iptables chain. Example: http://www.ipvoid.com/scan/61.240.144.66/
> 
> 3.	Another awesome tool (but also a heavy one!) I use before unblocking an offender is the DNS blacklist aggregator from http://multirbl.valli.org/. This tool checks the IP in a whopping 228 RBL databases! Yes, lots of false positives... but when you see the IP in more than 50% of the RBL databases you start to reconsider unblocking it. The format of the link is http://multirbl.valli.org/lookup/a.b.c.d.html where a.b.c.d is the IP from the GUARDIAN iptables chain. Example: http://multirbl.valli.org/lookup/61.240.144.66.html
> 4.	Another tool I use to check for phishing sites (IPs) is http://blog.gmane.org/gmane.comp.security.phishings . Here is one example of a site that steals PayPal credentials, a site that is also listed in VirusTotal but it is not clear what the site is doing (the phishing part): Query: http://search.gmane.org/?query=218.208.237.174&group=gmane.comp.security.phishings
> 
> From my experience, allowing a user to unblock/flush the GUARDIAN is bad because people do not possess so much knowledge about the reason embedded in the ET rules, rules that were used to trigger alerts and therefore the Guardian block action.
> Giving the user links to sites like VirusTotal & IPVoid will probably make them wonder why the links are there (in the WUI) and use them before clearing an IP from the offenders list.
> Second: the links will help them to better understand the ET rule and why snort triggered an alert in the first place.
> 
> Another use case for the links to the above sites, but this time for the IPs listed in Status - Connection: if a user sees tons of traffic to suspect sites it is good to be able to check the IPs against a collection of publicly available tools. I saw in the last few months articles about legit sites being injected with redirect code - see Forbes being attacked last year. Such attacks take place daily - and unfortunately are successful. An advanced user will take a peek at the active connections and will check why his machines are opening so many connections and will try to see if some of them are legit (using any of the available sites listed above).
> 
> Bottom line: if the IP that a user wants to unblock is listed on one of the above sites as distributing malware/Trojans, doing phishing, or having +20000 domains attached to it (yes, I've seen one with more than 20000 domains attached to the IP!), maybe they will leave that IP blocked.

I've seen your feature request on the bugtracker and your posts in the
forum thread. I think your suggestion would be a nice and handy
feature, but I don't agree with putting the icons and links into the
"Currently blocked Hosts" section inside the "guardian.cgi".

I'm considering extending the "ipinfo.cgi" and locating the icons +
links to the external sources on that page. The "ipinfo.cgi" is linked
from various logging pages, so this would offer the ability to use
those information services also for firewall hits, snort alerts etc.

> 
> 
> Recommendation 3:
> 
> As I wrote in the forum - please allow a user to unblock an IP for a limited period of time. The old guardian did that.
> The reason is this: I do prefer a limited hole in my security rather than a permanent one.
> Here is the use case: all of us do downloads / our machines do tons of downloads (Adobe - so many, Antivirus, Windows updates, XUbuntu updates, etc.).
> Snort will block them for various reasons: there are so many ET rules for that.
> Me, as a user, I do need that download, so I will be forced to add the IP to the ignore list.
> 
> This is so bad: for a single download (one update!) I've created a permanent hole in my IPS. And this hole is most of the time toward an IP that is a local cache (local mirror)! And the local cache provider does reutilize that IP for so many domains: I've checked that! Many domains being dynamic, or listed in different blacklists. But if I've ignored all alerts for that IP... I am somehow working against my IPS.
> 
> And, as I said above, the domains behind one IP can be thousands, IPs are reutilized (see dynamic cloud server services - like Amazon, 1&1, or even the provider IPFire uses) - all these providers reutilize IPs for so many sites...
> 
> Bottom line: a permanent hole is totally against the IPS concept in my opinion. I rather allow the traffic for a limited time, but after that the IPS should block any further attempts for doing traffic with that IP if snort triggers alerts for it.
> 
> 
Accepted, I will add an option for this in guardian 2.1.

> ============================================================================================================
> Errors - how to replicate them
> 
> I've managed to replicate Blago's error like this: create 2 guardian processes in memory. If this is happening, I get the same error message:
> 
> [root(a)dmx ~]#/etc/init.d/guardian status
> guardian is running with Process ID(s) 2928 2299.
> [root(a)dmx ~]# /etc/init.d/guardian stop
> /etc/init.d/guardian: line 33: [: 2928: binary operator expected
> 
> Here is a solution to have 2 guardian processes in memory:
> 
> [root(a)dmx ~]#guardian status
> 
> 
> There is an executable file named guardian besides the /etc/init.d/ script. Making a call to that generates 2 guardian processes in memory. This has nothing to do with an old guardian version on IPFire. It is the same guardian...
> 
> Here are the 2 processes:
> 
> [root(a)dmx ~]#ps aux |grep guard
> root      2299  0.9  0.0   9296  3216 ?        S    20:31   0:01 /usr/bin/perl /usr/bin/guardian
> root      2928  0.0  0.0  10864  3328 pts/0    S    20:33   0:00 /usr/bin/perl /usr/bin/guardian status
> 
> After this, /etc/init.d/guardian fails to stop the guardian processes.
> Other impact observed: the WUI works OK and displays as PID number the one from the line with "status" (= 2928), but the Currently blocked hosts list is empty.
> [root(a)dmx ~]#  cat /run/guardian.pid
> 2928
> 
> ========================================================================================
> 
> Note: updating to 2.17 core 87 somehow put down my guardian.
> I need some time to rebuild it - the web interface looks funny - lots of missing elements. Including the Guardian menu! (but the cgi is still on the disk and can be accessed manually).
> 
> 
> Best,
> H&M

Best regards,

-Stefan
> 
> -----Original Message-----
> From: Stefan Schantl [Masked] [mailto:FWD_eRROOjHG(a)opayq.com] 
> Sent: 28 februarie 2015 15:51
> To: 64f853bf(a)opayq.com
> Subject: Guardian 2.0 Testversion 011
> 
> Hello followers,
> 
> at first I have to thank all of you who have joined the guardian
> 2.0 testing team. I've got a lot of positive feedback but have also been notified about several tiny issues.
> 
> I've uploaded an updated test version to http://people.ipfire.org/~stevee/guardian-2.0/.
> 
> The installation / update works in the same way as described in the planet post:
> http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> 
> IMPORTANT: Please create a backup of your files stored in "/var/ipfire/guardian/", otherwise they will be overwritten by the update!
> 
> Changelog:
> 
> * Matthias Fischer detected some small problems in the "guardian.cgi"
> and provided some patches for them.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=19d6abcce57be35c3bd43ebf45e37d69776f081e http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=0a6c3cb89642e2ff567993d810757425cf9ccce7 http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=82208c83c709da1f1c24fd9396e5d351f833fd91
> 
> * Blago Culjak informed me about problems on starting guardian and displaying its status in the web interface. This behaviour only happens when the legacy version of guardian has been un-installed and not just replaced by the new guardian. The updated version contains the required file which is used by various IPFire scripts to detect whether an addon is installed or not.
> 
> * The CLI switch "-d" called "debug mode" has been replaced by "-f" to launch guardian and run it in the foreground.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=a58bd674863e1c4fd3cff457f1bd51e105c3eb2b
> 
> * Some new code has been added to prevent starting multiple instances of guardian.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=9d44c0d9952e67f6afad15e2940a5be6f1fe9094
> 
> Best regards,
> 
> -Stefan
> 
> 
> 
> 


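The init-script failure H&M reproduces above ("[: 2928: binary operator expected") comes from a list of PIDs being handed to a single `[ ... ]` test as one unquoted word. The following POSIX shell is an added example, not the guardian init script or any other IPFire code: the process listing is constructed from the `ps aux` lines quoted in the report, the function names are mine, and it assumes that the daemon runs without arguments while helpers such as `guardian status` always pass a sub-command. It shows the fragile test beside a check that counts instances, a pidfile validation that rejects the helper's PID (the stale 2928 in /run/guardian.pid), and a stop routine that signals every instance rather than the list as a whole.

```shell
#!/bin/sh
# Added example (not the guardian init script or any IPFire code): why a
# PID list breaks a single "[ ... ]" test, and how an init script can
# handle more than one instance of the daemon.

# Constructed process listing, taken from the "ps aux | grep guard" lines
# in the report: 2299 is the daemon, 2928 is the "guardian status" helper.
PS_SAMPLE='root      2299  0.9  0.0   9296  3216 ?        S    20:31   0:01 /usr/bin/perl /usr/bin/guardian
root      2928  0.0  0.0  10864  3328 pts/0    S    20:33   0:00 /usr/bin/perl /usr/bin/guardian status'

# all_pids LISTING: every PID whose command line mentions the daemon,
# which is what a plain pidof or "ps | grep" returns ("2299 2928").
all_pids() {
    printf '%s\n' "$1" | awk '$0 ~ "/usr/bin/guardian" { print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

# daemon_pids LISTING: only PIDs whose command is the bare daemon, so the
# helper invocation "guardian status" is left out (assumption: the daemon
# runs without arguments and helpers always pass a sub-command).
daemon_pids() {
    printf '%s\n' "$1" | awk '$NF == "/usr/bin/guardian" { print $2 }'
}

# fragile_check PIDS: the pattern behind "[: 2928: binary operator expected".
# An unquoted $1 holding "2299 2928" expands to two words, so "[" sees
# "[ 2299 2928 -gt 0 ]" and fails with a syntax error instead of a verdict.
fragile_check() {
    # shellcheck disable=SC2086
    if [ $1 -gt 0 ] 2>/dev/null; then echo ok; else echo fail; fi
}

# robust_check PIDS: count the instances instead of testing the raw list.
# Prints "stopped", "running" (exactly one) or "multiple".
robust_check() {
    count=0
    for pid in $1; do
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then echo stopped
    elif [ "$count" -eq 1 ]; then echo running
    else echo multiple
    fi
}

# pidfile_ok PID LISTING: trust the pidfile only if its PID is a daemon
# instance. In the report /run/guardian.pid held 2928, the helper's PID,
# which is why the web interface showed the wrong PID and no blocked hosts.
pidfile_ok() {
    for pid in $(daemon_pids "$2"); do
        [ "$pid" = "$1" ] && return 0
    done
    return 1
}

# stop_all PIDS [SENDER]: signal every instance one by one instead of
# passing the whole list to a single test. SENDER defaults to kill; a
# recorder such as echo can be injected so nothing is actually signalled.
stop_all() {
    sender=${2:-kill}
    for pid in $1; do
        "$sender" "$pid" || return 1
    done
    return 0
}

main() {
    pids=$(all_pids "$PS_SAMPLE")
    echo "fragile check on '$pids': $(fragile_check "$pids")"
    echo "robust check on '$pids':  $(robust_check "$pids")"
    if pidfile_ok 2928 "$PS_SAMPLE"; then echo "pidfile 2928 is a daemon"; else echo "pidfile 2928 is stale"; fi
    # Dry run: echo stands in for kill so the PIDs are only printed.
    stop_all "$pids" echo
}
main
```

The detection side is the point for an IPS: a stop that silently fails leaves the daemon running with a pidfile pointing at a process that no longer exists, and the web interface then reports a PID that has nothing to do with the blocker. Checking that the pidfile PID is actually a daemon instance before trusting it catches that state.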

* Re: Guardian 2.0 Testversion 011
  2015-03-02 20:20 ` Stefan Schantl
  2015-03-02 20:43   ` Matthias Fischer
@ 2015-03-02 20:59   ` Matthias Fischer
  1 sibling, 0 replies; 12+ messages in thread
From: Matthias Fischer @ 2015-03-02 20:59 UTC (permalink / raw)
  To: development


Hi,

On 02.03.2015 21:20, Stefan Schantl wrote:
> Accepted, I will add this feature in a further version of guardian
> (2.1), please file a feature request on the bugtracker.

Done:

https://bugzilla.ipfire.org/show_bug.cgi?id=10764

Regards
Matthias



* Re: Guardian 2.0 Testversion 011
  2015-03-02 20:20 ` Stefan Schantl
@ 2015-03-02 20:43   ` Matthias Fischer
  2015-03-02 20:59   ` Matthias Fischer
  1 sibling, 0 replies; 12+ messages in thread
From: Matthias Fischer @ 2015-03-02 20:43 UTC (permalink / raw)
  To: development


Hi,

On 02.03.2015 21:20, Stefan Schantl wrote:
> ...
> Sounds nice, the feature to view guardians logfile inside the web
> interface would be a huge benefit.
>
> Please share your "guardian_log.dat" file so it can be included.

Done:

http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=8d502be65ec10c634166984be26ff328801bb2c0

> But beware, it's *really* simple, perhaps needs polishing... ;-)

Regards
Matthias



* Re: Guardian 2.0 Testversion 011
  2015-03-02 19:51 Matthias Fischer
@ 2015-03-02 20:20 ` Stefan Schantl
  2015-03-02 20:43   ` Matthias Fischer
  2015-03-02 20:59   ` Matthias Fischer
  0 siblings, 2 replies; 12+ messages in thread
From: Stefan Schantl @ 2015-03-02 20:20 UTC (permalink / raw)
  To: development


Hello Matthias,
> Hi,
> 
> Feedback:
> As far as I can see, no problems here. Great! ;-)

Thanks for joining the testing team and providing your feedback.
> 
> I did several - personal - enhancements, perhaps you could think of it:
> 
> I altered the Logs menu, showing '/var/log/guardian/guardian.log', with 
> a *very* simple '/srv/web/ipfire/cgi-bin/logs.cgi/guardian_log.dat', and 
> a new entry in '/var/ipfire/menu.d/70-log.menu':
> 
> ...
> $sublogs->{'51.guardian'} = {'caption' => $Lang::tr{'guardian log'},
> 			'uri' => '/cgi-bin/logs.cgi/guardian_log.dat',
> 			'title' => "$Lang::tr{'guardian log'}",
> 			'enabled' => 1
> 			};
> ...
> 
Sounds nice, the feature to view guardian's logfile inside the web
interface would be a huge benefit.

Please share your "guardian_log.dat" file so it can be included.
> I did the same some time ago with 'squid', so I thought of no problems 
> and it works. The underlying CGI is *really* simple, no comfort, but it's 
> doing its job.
> 
> Second, I compiled 'guardianctrl.c' to REJECT, not to DROP and it's 
> working as well.
> 
> Feature request:
> User switch on GUI, to switch between REJECT and DROP. ;-)

Accepted, I will add this feature in a further version of guardian
(2.1), please file a feature request on the bugtracker.

Thanks in advance,

-Stefan
> 
> Regards
> Matthias



* Guardian 2.0 Testversion 011
@ 2015-03-02 19:51 Matthias Fischer
  2015-03-02 20:20 ` Stefan Schantl
  0 siblings, 1 reply; 12+ messages in thread
From: Matthias Fischer @ 2015-03-02 19:51 UTC (permalink / raw)
  To: development


Hi,

Feedback:
As far as I can see, no problems here. Great! ;-)

I did several - personal - enhancements, perhaps you could think of it:

I altered the Logs menu, showing '/var/log/guardian/guardian.log', with 
a *very* simple '/srv/web/ipfire/cgi-bin/logs.cgi/guardian_log.dat', and 
a new entry in '/var/ipfire/menu.d/70-log.menu':

...
$sublogs->{'51.guardian'} = {'caption' => $Lang::tr{'guardian log'},
			'uri' => '/cgi-bin/logs.cgi/guardian_log.dat',
			'title' => "$Lang::tr{'guardian log'}",
			'enabled' => 1
			};
...

I did the same some time ago with 'squid', so I thought of no problems 
and it works. The underlying CGI is *really* simple, no comfort, but it's 
doing its job.

Second, I compiled 'guardianctrl.c' to REJECT, not to DROP and it's 
working as well.

Feature request:
User switch on GUI, to switch between REJECT and DROP. ;-)

Regards
Matthias
-- 
tails, linux, USB, CD, secure desktop, IRC, truecrypt, tor, onion


* Re: Guardian 2.0 Testversion 011
       [not found] <DUB120-W2840AF412EFCF1DA7249F69C100@phx.gbl>
@ 2015-03-02 18:35 ` Stefan Schantl
  0 siblings, 0 replies; 12+ messages in thread
From: Stefan Schantl @ 2015-03-02 18:35 UTC (permalink / raw)
  To: development


Hello Blago Culjak,
> Hello Stefan,
> I have updated, now seems fine. Will do even more testing in days to
> come.
> 
> I have two suggestions, one for community, other is for features in
> new version:
> 
> 1. I think that you should rename Guardian 2.0 to Intrusion
> Prevention. Lots of people don't know (outside the Linux world) about this
> package, but they do know what Intrusion Prevention stands for. This
> is a unique feature of IPFire, and should be considered like that.
> Of course, give credit to the original Guardian. This is entirely up to
> Michael and the Project leaders, but I think this is a great feature that
> must be better promoted.
> 
> Hey, IPFire has Guardian 2.0. What the hell is that?
> 
> or
> 
> Hey, IPFire has Intrusion Prevention. Ooo,nice...
> 
> See what I mean?
The decision was to keep the old name to give tribute to this really
great piece of software. The legacy version of guardian has been
introduced more than a decade ago. So I think the term "guardian" is
well known in the certain group of people which currently are using (or
have used) one of the various free and open firewall solutions out
there. Renaming the software to a different name will break that
recognition.

I don't agree that using a name like "IPS" or a similar one would
help anybody in the decision to use the software or not, nor to promote
it.
> 2. Stefan, I have asked you, and I will try again. Can we make
> guardian even better than just Intrusion Prevention? Can you
> block bad IP's that are destined from our network? Please have a look
> at the thread on the forum.
> http://forum.ipfire.org/viewtopic.php?f=52&t=12639
> 
This is not really a guardian related issue, it affects the intrusion
detection system. Snort is currently not configured to monitor the
traffic inside the network zones or between them.

This will be one of the next points on my personal "todo-list" and
guardian 2.0 was just one of the first steps of extending IDS/IPS on
IPFire.

Best regards,

-Stefan
> Regards
> 
> 
> 
> Subject: Guardian 2.0 Testversion 011
> From: stefan.schantl(a)ipfire.org
> To: development(a)lists.ipfire.org
> Date: Sat, 28 Feb 2015 14:50:35 +0100
> 
> Hello followers,
>  
> at first I have to thank all of you who have joined the guardian
> 2.0 testing team. I've got a lot of positive feedback but have also been
> notified about several tiny issues.
>  
> I've uploaded an updated test version to
> http://people.ipfire.org/~stevee/guardian-2.0/.
>  
> The installation / update works in the same way as described in the
> planet post:
> http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
>  
> IMPORTANT: Please create a backup of your files stored in
> "/var/ipfire/guardian/", otherwise they will be overwritten by the
> update!
>  
> Changelog:
>  
> * Matthias Fischer detected some small problems in the "guardian.cgi"
> and provided some patches for them.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=19d6abcce57be35c3bd43ebf45e37d69776f081e http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=0a6c3cb89642e2ff567993d810757425cf9ccce7 http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=82208c83c709da1f1c24fd9396e5d351f833fd91
>  
> * Blago Culjak informed me about problems on starting guardian and
> displaying its status in the web interface. This behaviour only happens
> when the legacy version of guardian has been un-installed and not just
> replaced by the new guardian. The updated version contains the required
> file which is used by various IPFire scripts to detect whether an addon is
> installed or not.
>  
> * The CLI switch "-d" called "debug mode" has been replaced by "-f" to
> launch guardian and run it in the foreground.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=a58bd674863e1c4fd3cff457f1bd51e105c3eb2b
>  
> * Some new code has been added to prevent starting multiple
> instances of guardian.
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=9d44c0d9952e67f6afad15e2940a5be6f1fe9094
>  
> Best regards,
>  
> -Stefan
>  
> 
> 



     [not found] <5551C5AC.6030909@ipfire.org>
2015-05-12 19:19 ` Guardian 2.0 Testversion 011 Stefan Schantl
2015-05-14  9:15   ` 5p9
2015-05-28 22:32   ` 5p9
2015-05-28 23:28     ` Matthias Fischer
2015-05-28 23:40       ` 5p9
     [not found] <1425131435.2685.24.camel@ipfire.org>
2015-05-10  8:08 ` Stefan Schantl
     [not found] <934634537.3431881425296755846.JavaMail.root@ip-10-41-150-66.ec2.internal>
2015-03-05 18:37 ` Stefan Schantl
2015-03-02 19:51 Matthias Fischer
2015-03-02 20:20 ` Stefan Schantl
2015-03-02 20:43   ` Matthias Fischer
2015-03-02 20:59   ` Matthias Fischer
     [not found] <DUB120-W2840AF412EFCF1DA7249F69C100@phx.gbl>
2015-03-02 18:35 ` Stefan Schantl
